[Snort-users] Snort 1.7-beta0 and 08292k.rules ERROR Line 518 => Content data needs to be enclosed in quotation marks (")!

Tye F. Hammerle thammer at ...445...
Sun Sep 24 21:25:22 EDT 2000


I just grabbed the latest snort via cvs, compiled and ran it. It
didn't like line 518 in the 08292k.rules file. I can't see anything
wrong with it, all the content is in quotes. Am I missing something?

This is line 518 from 08292k.rules;

alert tcp any any -> $HOME_NET 6667 (flags: PA; content: "USER ";
nocase; offset:0; depth:5; content: " "; offset:11; depth:1; content:
" "; offset: 18; depth:1; content: " :"; offset: 26; depth: 2; msg:
"PrettyPark activity!";)


Here's the info snort gives;

# /usr/local/bin/snort -C -d -A full -i rl0 -c /etc/snort.master

Initializing Network Interface rl0
Decoding Ethernet on interface rl0
Initializing Preprocessors!
-------------------------------------------------
 Keyword     |       Preprocessor @
-------------------------------------------------
http_decode  :       0x10d64
minfrag      :       0x10fbc
portscan     :       0x11eac
portscan-ignorehosts:       0x12a04
defrag       :       0x16dbc
-------------------------------------------------

Initializing Plug-ins!
-------------------------------------------------
 Keyword     |      Plugin Registered @
-------------------------------------------------
content      :      0xf360
content-list :      0xf2d8
offset       :      0xf410
depth        :      0xf478
nocase       :      0xf4e0
regex        :      0xf57c
flags        :      0x1004c
itype        :      0x104c4
icode        :      0x1066c
ttl          :      0x107c0
id           :      0x10890
ack          :      0x1099c
seq          :      0x10acc
dsize        :      0x10bd8
ipopts       :      0x12b5c
rpc          :      0x12e3c
icmp_id      :      0x13070
icmp_seq     :      0x131c8
session      :      0x16494
tos          :      0x1b83c
-------------------------------------------------

Initializating Output Plugins!
-------------------------------------------------
 Keyword     |          Output @
-------------------------------------------------
alert_syslog :       0x132d8
log_tcpdump  :       0x13a7c
log_database :       0x14400
alert_fast   :       0x17fe0
alert_full   :       0x18178
alert_smb    :       0x182d4
alert_unixsock:       0x1893c
xml          :       0x18cfc
-------------------------------------------------


+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR Line 518 => Content data needs to be enclosed in quotation marks
(")!
#


Tye



